Ten Reasons to buy Windows Vista

[Warrior]

I fix CMS bugs as I encounter them and usually within the hour or within the day. I think I even discussed how I would implement the error subsystem into the core to allow easy bug reporting.

What if the user wants to make a specific change that would only benefit their situation?  Would you be willing to code that for them?  Or would you just say "No, it's a waste of my time."  I'm not saying that you should feel inclined to meet all of your customer's application; I recognize that you'd probably just want them to choose another product that allowed this sort of thing.  However, I do wish to make you aware of such situations to be certain.

Good point, I've thought about this extensively. I've tried to make my system as modular as possible. Static data represented with "Pages" built into the core and Dynamic data with Modules. What I'd like to deal with is features the core lack to give them that freedom. Portions of the CMS like MPI will be open so users can extend it and I will see about comitting useful enough functions into the core build. Seems like a nice compromise right?

Back on the topic of Linux: Linux cannot run every windows driver. Linux depends off windows. I don't understand how you can't see that. Until you strike exclusive deals with OSes and get specifications under an NDA, I don't think you should be dissing an OS you take so much from .

In retrospect, Windows depends on Linux.  Most of the internet runs on Linux.  Without the internet, Windows would be huge amounts less useful.  They're part of a global scene: technology.  All of technology has a very high possibility have having dependancies or at least having some sort of encounter with another arbitrary piece of technology.  I'm not saying Linux can run every Windows driver.  In fact, I'm fairly certain that it can't run any Windows driver (literally, anyway).  There are generally alternatives that work just as well, though.  I'm not saying for every Windows driver, there is an equally well functioning Linux driver, but I am saying that Linux can be just as functional as Windows (driver-wise), given you have compatable devices (which are most devices on the market).

I'll agree with you there.  I think they've worked with what they have (which is what OSDever's must do) and have written an OS. That in it'self is respectable, to anyone who can write an OS deserves my respect. I may be blaming the wrong people for the wrong thing but a few people with bad attitudes are enough to give me an opinion based on a whole crowd, sadly enough I've seen nothing to make me think otherwise. Just trying to restate my point in a less heated manner.

[Sidoh]

Good point, I've thought about this extensively. I've tried to make my system as modular as possible. Static data represented with "Pages" built into the core and Dynamic data with Modules. What I'd like to deal with is features the core lack to give them that freedom. Portions of the CMS like MPI will be open so users can extend it and I will see about comitting useful enough functions into the core build. Seems like a nice compromise right?

So you plan on allowing users to code their own modules, correct?  You also plan to provide the source to the MPI and allow them to edit that?  That sounds like a great deal to me.  Nothing wrong with that.  At that rate, why don't you make the whole thing open source?!

I'll agree with you there.  I think they've worked with what they have (which is what OSDever's must do) and have written an OS. That in it'self is respectable, to anyone who can write an OS deserves my respect. I may be blaming the wrong people for the wrong thing but a few people with bad attitudes are enough to give me an opinion based on a whole crowd, sadly enough I've seen nothing to make me think otherwise. Just trying to restate my point in a less heated manner.

And I'll agree with you that a negative attitude definitely can be rationale to deem a certain group a negative group.  As long as you know it's a prejudice decision, you're fine.

[Warrior]

Good point, I've thought about this extensively. I've tried to make my system as modular as possible. Static data represented with "Pages" built into the core and Dynamic data with Modules. What I'd like to deal with is features the core lack to give them that freedom. Portions of the CMS like MPI will be open so users can extend it and I will see about comitting useful enough functions into the core build. Seems like a nice compromise right?

So you plan on allowing users to code their own modules, correct?  You also plan to provide the source to the MPI and allow them to edit that?  That sounds like a great deal to me.  Nothing wrong with that.  At that rate, why don't you make the whole thing open source?!

Trying to weigh out if the added protection from exploitation and the ease of deployment work out, at this point it may go either way.

[Sidoh]

Trying to weigh out if the added protection from exploitation and the ease of deployment work out, at this point it may go either way.

Which are you considering?  The release of the MPI as an open source portion?  Obviously, I'm going to strongly recommend that you release it open source.

[Warrior]

No the release of the core as open source. Don't know if I'd like to keep encrypting it. It could get annoying fast.

[Sidoh]

No the release of the core as open source. Don't know if I'd like to keep encrypting it. It could get annoying fast.

Hehe, I personally think it would become too much of a nuicance to maintain in such a fashion.  That's a totally subjective conclusion, though.

[iago]

What makes you think that hiding your source is going to create less exploits?  It seems to me that more exploits can be found/fixed if it's open source so there will be less exploits to worry about. 

Of course, from what I've seen in your code, I guess I understand

[Warrior]

What makes me think that? The current state of security on the internet.
FD only works if the company doesn't cooperate with the person who discovered it. I on the otherhand intend to fully cooperate provided PoC code is presented.

If someone with a malicious intent find an exploit chances are he will keep it to himself so the difference between open source/closed source is transparent there.

I don't know what you mean by that last comment however.

[iago]

What makes me think that? The current state of security on the internet.
FD only works if the company doesn't cooperate with the person who discovered it. I on the otherhand intend to fully cooperate provided PoC code is presented.

That's one of the major problems with Microsoft.  Not only do you have to find a vulnerability in their code, you also have to program a PoC exploit for it, and in many cases explain to them why it's a vulnerability.  So most people just say "screw it" and disclose it publicly.  I've posted a pretty good quote about Microsoft's procedure here, search my posts for "Zalewski" if you're interested (he's the author of the quote). 

If someone with a malicious intent find an exploit chances are he will keep it to himself so the difference between open source/closed source is transparent there.

How many people do you really know with malicious intent compared to the people you know with no malicious intent?  I have a pretty positive view of people in general, and I really have found that most people ARE genuinely good.  I know of very few 0-day exploits being discovered in open-source code, but I know of several that people have sold/traded for Windows (WMF, 2 Excel ones).  That seems to deny that there will be more 0-day exploits in open-source code. 

I don't know what you mean by that last comment however.

Sorry, I was thinking back to when zorm was re-coding x86's homepage after you were finished.  He had a thing or two to say about the security of your code

[Warrior]

What makes me think that? The current state of security on the internet.
FD only works if the company doesn't cooperate with the person who discovered it. I on the otherhand intend to fully cooperate provided PoC code is presented.

That's one of the major problems with Microsoft.  Not only do you have to find a vulnerability in their code, you also have to program a PoC exploit for it, and in many cases explain to them why it's a vulnerability.  So most people just say "screw it" and disclose it publicly.  I've posted a pretty good quote about Microsoft's procedure here, search my posts for "Zalewski" if you're interested (he's the author of the quote). 

It's pretty logical to make people provide PoC, I'm not going to go bug hunting because someone says "I have an exploit" chances are they probably have the code they used to test the exploit so I don't see the problem in showing an example. I'd most likely want PoC code only, pretty obvious it's an exploit if it causes the core to behave other than intended.

If someone with a malicious intent find an exploit chances are he will keep it to himself so the difference between open source/closed source is transparent there.

How many people do you really know with malicious intent compared to the people you know with no malicious intent?  I have a pretty positive view of people in general, and most people ARE genuinely good. 

True however if there were absolutely none then there would be no need for worrying. Since they DO exist I'm not going to assume they are good. I'll only think someone is good when they show me they are.

[iago]

It's pretty logical to make people provide PoC, I'm not going to go bug hunting because someone says "I have an exploit" chances are they probably have the code they used to test the exploit so I don't see the problem in showing an example. I'd most likely want PoC code only, pretty obvious it's an exploit if it causes the core to behave other than intended.

So if I say, "the code at this address is vulnerable because whatever, see?"  And they say, "no thanks, code an exploit first" (actually, they just don't respond).  What do I do?  The obvious thing is to fully disclose the vulnerability and let somebody else develop an exploit for whatever purpose. 

The important thing to remember is that, when this happens in an open-source program, the users can protect themselves.  In a closed-source program, users are screwed until the person who puts it out fixes it.  What if they're on vacation?  What if they're dead?  Your program is now useless. 

True however if there were absolutely none then there would be no need for worrying. Since they DO exist I'm not going to assume they are good. I'll only think someone is good when they show me they are.

I don't wear a bullet proof vest while I'm walking downtown, but I know that people get shot. 

I'm pretty sure that you think I'm good, but I haven't proven it. 

You have to draw a line in the sand between trust and suspicion. 

[Warrior]

It's pretty logical to make people provide PoC, I'm not going to go bug hunting because someone says "I have an exploit" chances are they probably have the code they used to test the exploit so I don't see the problem in showing an example. I'd most likely want PoC code only, pretty obvious it's an exploit if it causes the core to behave other than intended.

So if I say, "the code at this address is vulnerable because whatever, see?"  And they say, "no thanks, code an exploit first" (actually, they just don't respond).  What do I do?  The obvious thing is to fully disclose the vulnerability and let somebody else develop an exploit for whatever purpose. 

The important thing to remember is that, when this happens in an open-source program, the users can protect themselves.  In a closed-source program, users are screwed until the person who puts it out fixes it.  What if they're on vacation?  What if they're dead?  Your program is now useless. 

If it's an error outside the core in one of the publicly availible libraries they can submit the exploit and the offending code with a description of what goes wrong and I'll fix it and merge it into the source tree.

Now if the error is found in the non open source part of the code (core) then I'd ask for some PoC code because they can't just point at a line of code there. It's not me not believing them, it's more like me asking them to help me fix the bug.

I don't plan on dieing soon and when I go on vacation I'm usually on a laptop every night. Hell, if my project is alive so long that I'm  about to die then I'll release it open source. Here's my will: All of my work in my life that I have programmed should be made opensource under the PD license and given to the world. My brother will get none of my riches that I make from being so damn awesome, donate it or something. gl hf bb dd.

True however if there were absolutely none then there would be no need for worrying. Since they DO exist I'm not going to assume they are good. I'll only think someone is good when they show me they are.

I don't wear a bullet proof vest while I'm walking downtown, but I know that people get shot. 

I'm pretty sure that you think I'm good, but I haven't proven it. 

You have to draw a line in the sand between trust and suspicion. 

I know you and you've proven to be good multiple times around these forums so I'd have no reason
to suspect you, now someone who I don't know I'm not going to welcome with open arms. I'm not going to necessarily consider them the root of all evil but I'm going to act suspicious around them.

[iago]

If it's an error outside the core in one of the publicly availible libraries they can submit the exploit and the offending code with a description of what goes wrong and I'll fix it and merge it into the source tree.

Now if the error is found in the non open source part of the code (core) then I'd ask for some PoC code because they can't just point at a line of code there. It's not me not believing them, it's more like me asking them to help me fix the bug.

I don't plan on dieing soon and when I go on vacation I'm usually on a laptop every night. Hell, if my project is alive so long that I'm  about to die then I'll release it open source. Here's my will: All of my work in my life that I have programmed should be made opensource under the PD license and given to the world. My brother will get none of my riches that I make from being so damn awesome, donate it or something. gl hf bb dd.

You can get hit by a car tomorrow.  You never know what's going to happen in a couple years, either. 

I know you and you've proven to be good multiple times around these forums so I'd have no reason
to suspect you, now someone who I don't know I'm not going to welcome with open arms. I'm not going to necessarily consider them the root of all evil but I'm going to act suspicious around them.

I've never been proven to be good.  I've been proven not to be bad, perhaps, but there isn't really a way to prove that you're good. 

Like I said, there's a line in the sand that has to be drawn between "good" and "evil".  Nobody can ever prove that they aren't evil, you just have to trust them. 

[Warrior]

If I trust you, you're good. I trust you.

If I get hit by a car tomorrow then my CMS would never be finished but I see your point anyway. If it comes to the point where I die before I can write my will, then yes it would be lost.

[iago]

If I trust you, you're good. I trust you.

You shouldn't. 

If I get hit by a car tomorrow then my CMS would never be finished but I see your point anyway. If it comes to the point where I die before I can write my will, then yes it would be lost.

It's too bad that all your work would go to waste just because of your selfishness